Vulnerability Disclosure

Latest update: May 09, 2023

As a security company, we know that any system and infrastructure can be(come) vulnerable. We encourage everyone to report security vulnerabilities. This protects us, our customers, partners and stakeholders and makes the world a little more secure.

Contact

You can submit vulnerabilities via security@heylogin.com. If your email includes sensitive information, please use the OpenPGP key 327E E095 BDC1 BD81 631C 8D82 2949 0F2D 481F 4E59.

Vulnerability Disclosure Policy (VDP)

Safe harbour

We will not take any legal action against activities complying with this policy. If legal action is initiated by third parties due to activities compliant with this policy, we will take steps to make the responsible parties and/or legal authorities aware that those activities were conducted under this policy.

Our promise

We will review and respond to your report promptly and conduct an open dialogue with you. We will provide a timeline for when we expect the vulnerability to be fixed. We adhere to the standard 90-day disclosure deadline policy.

Your promise

You promise to use discovered vulnerabilities for no other purpose than reporting them to us. Vulnerabilities are reported exclusively and privately, promptly after detection. You promise to not take actions with the intention to harm us, our customers, partners, or any other stakeholder.

Bug bounty

We currently do not offer a bug bounty. This may change in the future.

Scope

The scope of this vulnerability disclosure policy (VDP) includes:

  • web app on heylogin.app
  • heylogin browser extensions for Chrome, Firefox, Safari and Edge
  • heylogin iOS and Android app

The following activities are prohibited:

  • Denial of service (incl. resource exhaustion, automated scanners with high loads, deleting data, fuzzing, etc.)
  • Spamming
  • Social engineering (including phishing)
  • Physical access (incl. entering or surveilling properties)
  • Attacking non-internet-facing systems (internal networks, private IPs, workstations, etc.)
  • Installing persistent backdoors

Issues without direct security impact, lack of hardening, or defense-in-depth measures are out of the scope of this VDP. This includes (but is not limited to):

  • Presence/absence of DKIM/SPF/DMARC/AAC records
  • Missing HTTP headers (such as CSP, Permissions-Policy, etc.)
  • Clickjacking
  • Missing HTTP cookie flags
  • Information disclosure of non-sensitive contents (like robots.txt, sitemap.xml, files, directories, etc.)
  • Absence of best practices
  • Self-attacks
  • CSRF with low or no impact
  • Open ports
  • Attacks requiring pre-conditions that would be security issues per se (e.g. usage of outdated browsers, vulnerable browser plugins)
  • Lookalike domains
  • Homograph attacks
  • Broken links
  • Metadata in assets (like images, PDFs, etc.)
  • Theoretical attacks with no realistic exploit scenario
  • Software that is out of date without proven security impact
  • Recently patched vulnerabilities in third-party software within two weeks after publication

Thank you ❤️

Thanks to all who report security vulnerabilities to us.